From patchwork Sun Sep 14 13:47:53 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eli Cohen X-Patchwork-Id: 4901411 Return-Path: X-Original-To: patchwork-linux-rdma@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 8BC02BEEA5 for ; Sun, 14 Sep 2014 13:48:14 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id B2F4820220 for ; Sun, 14 Sep 2014 13:48:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E012420200 for ; Sun, 14 Sep 2014 13:48:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752517AbaINNsL (ORCPT ); Sun, 14 Sep 2014 09:48:11 -0400 Received: from mail-wg0-f41.google.com ([74.125.82.41]:46251 "EHLO mail-wg0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752494AbaINNsL (ORCPT ); Sun, 14 Sep 2014 09:48:11 -0400 Received: by mail-wg0-f41.google.com with SMTP id k14so2772250wgh.12 for ; Sun, 14 Sep 2014 06:48:09 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=D1oI3FHRq6fkMvj7IF1K6BPbgPz5CKTujQ58BGYMMns=; b=NWgtSYNuB4mJXxHxZCVywM9wHidf3SbaezxyVfETlzna6+STTzmv3v8wTM3vlioPzu yslrv4RATI6OekCtwTrEHEIWnYEFxldwI2r9n9yhaezUh3cX6+XS0lBmo83NCSLZnTab Mg7wepaGhVW3Mbwr6AMZbiGMUkBsyDpe/wAxClQNevHWzMW0I9JGrWX89RZSWUq0MK+8 cOlr++FFiGkD8w2YM4eFcntHBAx5EQ2sH6i62y03LXBVqOOi7mASrQ4RZeghqE/JorrC 0QaS9a2PaY+3a1VeQFHOxPHIijgew0QZ9Dgcc8QY0UU/7BrEg8ygl5OkKRjd7+N8z9tF DRig== X-Gm-Message-State: ALoCoQkeAr/RSAgF8MJZVFGbfq4wjb+EGZa4Io6O4v9qP9GZ8mAIjnfYA/1LQtNogTSeP57l8TgY X-Received: by 10.194.19.200 with SMTP id h8mr25423139wje.40.1410702489386; Sun, 14 Sep 2014 06:48:09 -0700 (PDT) Received: from localhost (out.voltaire.com. [193.47.165.251]) by mx.google.com with ESMTPSA id s2sm11259852wjz.8.2014.09.14.06.48.08 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Sun, 14 Sep 2014 06:48:08 -0700 (PDT) From: Eli Cohen X-Google-Original-From: Eli Cohen To: roland@kernel.org, dledford@redhat.com Cc: linux-rdma@vger.kernel.org, ogerlitz@mellanox.com, amirv@mellanox.com, Eli Cohen Subject: [PATCH for-next 4/6] IB/mlx5: Fix possible array overflow Date: Sun, 14 Sep 2014 16:47:53 +0300 Message-Id: <1410702475-28826-5-git-send-email-eli@mellanox.com> X-Mailer: git-send-email 2.1.0 In-Reply-To: <1410702475-28826-1-git-send-email-eli@mellanox.com> References: <1410702475-28826-1-git-send-email-eli@mellanox.com> Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The check to verify that userspace does not provide an invalid index to the micro UAR was placed too late. Fix this by moving the check before using the index. Reported by: Shachar Raindel Signed-off-by: Eli Cohen --- drivers/infiniband/hw/mlx5/main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c index ecd3aebc46fe..a24431746377 100644 --- a/drivers/infiniband/hw/mlx5/main.c +++ b/drivers/infiniband/hw/mlx5/main.c @@ -650,13 +650,13 @@ static int mlx5_ib_mmap(struct ib_ucontext *ibcontext, struct vm_area_struct *vm return -EINVAL; idx = get_index(vma->vm_pgoff); + if (idx >= uuari->num_uars) + return -EINVAL; + pfn = uar_index2pfn(dev, uuari->uars[idx].index); mlx5_ib_dbg(dev, "uar idx 0x%lx, pfn 0x%llx\n", idx, (unsigned long long)pfn); - if (idx >= uuari->num_uars) - return -EINVAL; - vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot); if (io_remap_pfn_range(vma, vma->vm_start, pfn, PAGE_SIZE, vma->vm_page_prot))